Article 22 GDPR
Automated decision-making in individual cases, including profiling

1. The data subject has the right not to be subject to a decision that is based solely on automated processing, including profiling, and that produces legal effects on the person or similarly significantly affects the person.

2. Paragraph 1 shall not apply if this decision:

(a) is necessary for the conclusion or execution of a contract between the data subject and the controller;

(b) is permitted by the law of the Union or the law of the Member State to which the administrator is subject and which provides for appropriate measures to protect the rights, freedoms and legitimate interests of the data subject; or

(c) is based on the explicit consent of the data subject.

3. In the cases referred to in paragraph 2(a) and (c), the controller shall implement appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention on the part of the controller, to express his or her own position and to contest the decision.

4. The decisions referred to in paragraph 2 may not be based on the special categories of personal data referred to in Article 9(1), unless Article 9(2)(a) or (g) applies and there are appropriate safeguards to protect the rights, freedoms, and legitimate interests of the data subject.